This document proposes a methodology for aligning business and IT policies using a responsibility model. The methodology is a five-step approach consisting of collecting information, defining capabilities, accountabilities and commitments, linking responsibilities to processes, validating the model, and defining policies. It is illustrated with a case study from an IT company where they define an access control policy using this methodology and responsibility model. The responsibility model defines three components - capabilities, accountabilities, and commitments - to clarify roles and responsibilities for policy definition.
The document discusses organizational structures and how external pressures influence structure design to achieve synergy. It defines key terms like stress, structure, and synergy. It analyzes common structural forms like functional, divisional, and matrix structures. It also discusses newer structures like virtual organizations and how they promote horizontal coordination. Achieving synergy through mergers requires effectively managing interdependencies between activities.
The document discusses applying the DeLone & McLean Information Systems Success Model to measure the success of e-commerce systems. It proposes updating the original model by adding a service quality dimension and combining individual and organizational impacts into a net benefits construct. The updated model contains six dimensions: system quality, information quality, service quality, use, user satisfaction, and net benefits. These dimensions provide a framework for organizing e-commerce success metrics identified in the literature. Case examples are used to demonstrate how the model can guide the identification and specification of e-commerce success metrics.
This document discusses whether business process integration is feasible through the use of enterprise application integration (EAI) technology. It first provides background on business process integration and past approaches using ERP systems. It then explains that EAI offers a more flexible way to integrate business processes and systems without needing to change existing business processes or software. The document presents a case study that explores how a company implemented an EAI solution and whether it enabled the integration of business processes. The case study findings suggest that EAI technology can integrate business processes when combined with ERP systems in a more flexible manner.
The document discusses three schools of thought on enterprise architecture:
1) The Enterprise IT Architecting School focuses on aligning IT assets with business strategy through cost reduction and technology reuse.
2) The Enterprise Integrating School aims to effectively implement enterprise strategy through coherence across facets like IT, governance, and policies.
3) The Enterprise Ecological Adaptation School promotes organizational learning and innovation by designing facets to maximize learning.
The schools differ in their definitions of enterprise architecture and in their priorities, but most of the literature fits within one of three concerns: IT-business alignment, enterprise coherence, or organizational adaptation.
Using machine learning embedded in an organizational responsibility model, together with the ten characteristics of the CIO Master and the twelve competencies of the workforce, can help lead the digital transformation of traditional public organizations to the Exponential.
Adopted topic modeling for business process and software component conformity... (TELKOMNIKA JOURNAL)
Business processes and software components, especially class diagrams, have a firm connection, since software components support the business process in providing an excellent product and service. Moreover, business process changes affect software component design. One such change usually appears in the label or name of the software component or business process. Sometimes a related business process and software component appear under different labels with the same meaning rather than sharing the same label. This situation is problematic when there are many changes to be made, because the process of modifying the software component becomes quite long. Therefore, software maintainers should have an efficient procedure to shorten the modification process. One solution is conformity checking, which helps software maintainers know which software component is related to a specific business process. This paper compared two leading topic modeling techniques, probabilistic latent semantic analysis (PLSA) and latent Dirichlet allocation (LDA), to determine which has the better performance for process traceability.
Fractal organizations part ii – object based complexity management (Kutlu MERİH)
This document discusses object-based complexity management and modeling organizations as complex adaptive systems. It proposes modeling organizations and their components as objects with defined properties and behaviors. The organization is represented as a complex of interacting objects coordinated by a control object called the CORTEX. Key objects include administration, procurement, production and marketing. Relationships between objects are represented using a Sycamore Tree diagram with the CORTEX at the top. Measures like the Complexity Business Balance Card can be used to assess organizational performance and balance based on this object-oriented model.
The Relationships Between IT Flexibility, IT-Business Strategic Alignment and... (IJMIT JOURNAL)
What seems to still be the main concern for managers in the corporate world across the globe is IT business strategic alignment. This study seeks to address the research problem about the lack of alignment between IT and business strategies. Upon reviewing various literature on this subject, it was found that IT flexibility is one of the most vital factors that help sustain strategic alignment. The researcher upon having a detailed discussion on the possible areas associated with the present body of knowledge has discovered gaps in the studies that have been undertaken on strategic alignment and IT flexibility. This is because IT capability in relation to IT flexibility and strategic alignment has been ignored in the previous studies. As a result, this research proposes a relationship between IT flexibility (i.e., modularity, connectivity and compatibility), IT capability, and strategic alignment.
The document discusses organizational structure and its key elements. It defines work specialization, departmentalization, chain of command, span of control, centralization/decentralization, and formalization. It examines how these structural elements are determined by an organization's strategy, size, technology, and environment. Structures can range from simple to complex bureaucratic to organic designs like teams or virtual organizations. An organization's structure impacts employee behavior and different implicit models may influence perceptions of appropriate structures.
Enterprise Architecture (EA) has many definitions, schools of thought and perspectives. According to Buchanan (2010), EA is a strategic planning process that translates the business vision of an enterprise and its strategy into enterprise change.
TOWARDS AUDITABILITY REQUIREMENTS SPECIFICATION USING AN AGENT-BASED APPROACH (ijseajournal)
Transparency is an important factor in democratic societies, composed of characteristics such as accessibility, usability, informativeness, understandability and auditability. In this research we focus on auditability, since it plays an important role for citizens who need to understand and audit public information. Although auditability has been a subject of discussion when designing systems, there is a lack of systematization in its specification. We propose an approach to systematically add auditability requirements specification during the goal-oriented agent-based Tropos methodology. We used the Transparency Softgoal Interdependency Graph, which captures the different facets of transparency while considering their operationalization. An empirical evaluation was conducted through the design and implementation of the LawDisTrA system, which distributes lawsuits among judges in an appellate court. Experiments included the distribution of over 300,000 lawsuits at the Brazilian Superior Labor Court. We theorize that the presented approach for auditability provides adequate techniques to address the cross-organizational nature of transparency.
Work developed to create an ICT-supported learning environment for IT Management in organizations. Carried out in 2010, in the Master's in Engineering program, Systems and Computing area, Univ. de los Andes.
Integration impediment during ERP Development (ijtsrd)
ERP (Enterprise Resource Planning) systems have increasingly been developed and integrated with other internal and external systems. This paper contributes to the field of enterprise systems integration by clarifying the concept of integration in the context of ERP systems. We investigated integration obstacles during ERP development in 5 large organizations through theme-based interviews. Besides considering integration as a purely technical challenge, our findings reveal other perspectives on integration. In total, 31 environmental, technical, managerial, and organizational integration obstacles were identified from the empirical data and further mapped to 13 ERP challenge categories derived from the literature. Our findings reveal that integration barriers are related to all 13 categories of ERP challenges. This indicates that integration should not be a separate project from ERP development. Identifying the integration obstacles is necessary for practitioners to develop counteractions to enterprise integration problems.
Jaychand Vishwakarma, "Integration impediment during ERP Development", published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-2, Issue-3, April 2018. URL: http://www.ijtsrd.com/papers/ijtsrd12735.pdf ; http://www.ijtsrd.com/computer-science/other/12735/integration-impediment-during-erp-development/jaychand-vishwakarma
This document presents a method for using benchmarking in the enterprise architecture planning process. It discusses benchmarking best practices from other organizations to help develop the target architecture and transition plan. The method uses the Federal Enterprise Architecture Framework reference models to identify benchmarkable domains across the business, data, application and technology layers. A multi-step benchmarking model is then described that involves normalizing data, calculating distances between options, and restricting options to identify best practices for the target architecture. The goal is to reduce risks and speed up the enterprise architecture planning process by leveraging benchmarks from successful organizations.
The document discusses integrating innovation into enterprise architecture management. It proposes using an enterprise architecture approach based on a comprehensive architecture framework to align business, application, and infrastructure architecture. This framework addresses all dimensions relevant for enterprise innovation. The paper introduces an enterprise architecture development process that integrates innovation as a central element of design. It encompasses activities from business visioning to implementation. The roles of stakeholders from business and IT are also discussed.
This research proposes a maturity model that focuses on providing organizations a holistic view of the alignment between BPM/SOA in their current situation and in relation to their desired state. As such, it supports the organization in evolving towards BPM/SOA alignment, striving for a truly agile and flexible business-driven service-oriented enterprise that is highly responsive to the market dynamics in collaboration with their partners, customers and stakeholders within the ecosystem.
The chapter discusses the project management context, describing the systems view of projects and how they are influenced by organizational structures, cultures, and stakeholders. It emphasizes that projects must be managed within the broader organizational environment and stresses the importance of project phases and management reviews to ensure projects continue to support business needs and have the greatest chance of success.
The document discusses information security concerns of industry managers. A survey found that information security is the top concern of managers, even more than risks from the economy or natural disasters. While industries invest heavily in information security, most managers still trust their current security systems despite few having organizations well-adapted to new information risks. The complexity of assessing security risks is growing due to new IT capabilities, critical infrastructure developments, cloud services, and increasing cybercrime. Industries and academics must collaborate further on information security research to address these challenges.
The document proposes an agent-based architecture for multi-level security incident reaction in distributed telecommunication networks. The architecture has three levels: a low level interface with the infrastructure, an intermediate level using multi-agent systems to correlate alerts and deploy reactions across domains, and a high level for global supervision and policy management. The architecture was designed based on requirements like scalability, availability, autonomy, and robust reaction and alert management across distributed systems. It was successfully tested for implementing data access control policies.
This document proposes a metamodel for modeling reputation-based multi-agent systems using an adaptation of the ArchiMate enterprise architecture modeling framework. It describes a case study applying this metamodel to model an electrical distribution critical infrastructure system. Key elements of the metamodel include:
- Representing agents and their behaviors through policies that integrate both behavior and trust components
- Modeling trust relationships between agents using a reputation-based trust model
- Illustrating the metamodel layers and components on a system that detects weather alerts and broadcasts messages to the public through various channels like SMS or social media
This document discusses the NOEMI model, a collaborative management model for ICT processes in SMEs. The model was developed by the Centre Henri Tudor and tested with a cluster of 8 partner SMEs. Key aspects of the model include defining ICT activities across 5 domains, assessing each SME's capabilities, and having an operational team manage activities for the cluster under a coordination committee. The experiment showed improved cost control, management, and partner satisfaction compared to alternatives like outsourcing or hiring individual IT staff. The research is now ready for market transfer as the successful model is adopted long-term by participating SMEs.
This document proposes a multi-agent architecture for incident reaction in information system security. The architecture has three layers - low level interacts directly with the infrastructure, intermediate level correlates alerts and deploys reaction actions using multi-agent systems, and high level provides supervision and manages business policies. The architecture was tested for data access control and aims to quickly and efficiently react to attacks while ensuring policy compliance. The document discusses requirements like scalability, autonomy, and global supervision. It also describes the key components of alert management, reaction decision making, and policy definition/deployment to implement the architecture using a multi-agent approach.
This document proposes an automatic reaction strategy for critical infrastructure SCADA systems. It defines a three-layer metamodel for modeling SCADA components and two types of policies (cognitive and permissive) that govern component behavior. It then presents a two-phase method for identifying these policies from the SCADA architecture and formalizing them to support an automatic reaction strategy. This strategy is modeled as an integral part of the SCADA architecture using the defined metamodel and policy identification method. It includes organizational and application layers with main actors, strategies, and components that realize the reaction policies based on expected automation levels.
Umakanta Baral is a Chartered Accountant with 15 years of experience in financial management, accounting, auditing, taxation, and compliance. He is currently a partner at DAS & DAS Chartered Accountants, where he handles statutory, internal, and tax audits for various organizations. Previously, he held managerial roles in finance and accounting at multiple companies across various industries. He has a B.Com from Utkal University and is a qualified CA from ICAI.
Strengthening employee’s responsibility to enhance governance of it – cobit r... (christophefeltus)
This document presents a study that aims to develop and validate a responsibility model to improve IT governance. The researchers analyzed existing responsibility concepts from literature and frameworks like COBIT. They developed a UML model of responsibility with key concepts like obligation, accountability, right, and commitment. The researchers then compared their model to COBIT's representation of responsibility. They propose enhancements to COBIT based on responsibility concepts from their model, aiming to provide a common understanding of responsibility across frameworks to benefit IT governance. The paper illustrates proposed changes to COBIT's process for identifying system owners.
Building a responsibility model using modal logic (christophefeltus)
This document discusses building a responsibility model using modal logic concepts of accountability, capability, and commitment. It begins with a literature review of existing policy and access control models. The review finds that while concepts like rights, roles, and obligations are addressed, existing models do not fully cover all three responsibility concepts. The document then proposes a preliminary responsibility model and definitions for its components. It suggests a formalization of key concepts using deontic logic adapted from alethic logic. The goal is to provide a framework to define concepts, verify organizational structures, and detect policy issues.
This document discusses building a responsibility model using modal logic. It begins with a literature review of existing policy models and engineering methods related to concepts of accountability, capability and commitment. It identifies that while some concepts like rights and roles are commonly addressed, models do not fully cover all responsibility components. The document then proposes a preliminary responsibility model and defines the main concepts of capability, accountability and commitment. It suggests a formalization of these concepts using deontic logic to help analyze organizational structures and policies for consistency and problems.
This document proposes a responsibility modeling language (ReMoLa) to align access rights with business process requirements. ReMoLa is a responsibility-centered meta-model that integrates concepts from the business and technical layers, with the concept of employee responsibility bridging the two. It incorporates four types of obligations from the COBIT framework to refine employee responsibilities and better assign access rights. ReMoLa maps responsibilities to roles in the RBAC model to leverage its advantages for access right management while ensuring responsibilities align with business tasks and employee commitment.
Re mola responsibility model language to align access rights with business pr... (christophefeltus)
This document proposes a responsibility modeling language (ReMoLa) to align access rights with business process requirements. ReMoLa is a responsibility-centered meta-model that integrates both business and technical perspectives to bridge the gap between them. It uses the concept of employee responsibilities to link business obligations to the technical capabilities and access rights needed to fulfill those obligations. The meta-model includes concepts like responsibilities, obligations, accountabilities, capabilities, and rights. It also maps these concepts to the four types of obligations from the COBIT framework to better define employee responsibilities and access rights assignments based on real needs.
Enhancement of business it alignment by including responsibility components i... (christophefeltus)
This document proposes enhancements to the Role-Based Access Control (RBAC) model by integrating the concept of responsibility. It summarizes the existing RBAC model and user/permission assignment processes. It then presents a responsibility model built around three concepts: an employee's obligations derived from responsibilities, the rights required to fulfill obligations, and the employee's commitment to fulfill obligations. The paper argues RBAC could be improved by incorporating acceptance of responsibility within the role assignment process. It proposes integrating the responsibility model with RBAC to address identified weaknesses and modeling the integrated model using the OWL ontology language.
Sim an innovative business oriented approach for a distributed access management (christophefeltus)
This document proposes an innovative approach called SIM (Secure Identity Management) that aims to define access control policies in a way that is closely aligned with business objectives. It does this by linking concepts from the ISO/IEC 15504 process-based model for organizing work to concepts of responsibility. The approach also defines a multi-agent system architecture to automate the deployment of access policies across an organization's heterogeneous IT components and devices. This provides autonomy and adaptability. The goal is to improve how access rights are defined according to business needs and how those rights are deployed throughout the IT infrastructure.
This document discusses challenges with access rights management for information systems due to growing complexity from distributed systems and dynamic environments. It proposes an agent-based framework called SIM that focuses on aligning access policies with business objectives by linking them to processes and responsibilities defined in the ISO/IEC 15504 standard. The goals are to define policies based on business needs and automatically deploy them through IT infrastructure using a multi-agent system architecture.
An agent based framework for identity management the unsuspected relation wit... (christophefeltus)
The document discusses access rights management in information systems and proposes an innovative approach. It aims to better align access policies with business objectives by linking them to organizational processes and responsibilities. The approach uses concepts from the ISO/IEC 15504 process assessment standard to define policies based on processes, outcomes, roles and responsibilities. It then proposes a multi-agent system to automate deployment of access policies across IT systems and devices in a flexible way. The approach seeks to improve on existing identity management solutions which can be rigid and difficult to integrate across organizations.
The document presents a responsibility model that includes accountability, capability, and commitment. The objectives of the model are to help organizations verify their structure and detect policy problems. It also provides a conceptual framework to define corporate, security, and access control policies. The paper reviews previous research and proposes a UML model of responsibility integrating its main concepts and relationships. It also selects a formal system to formally represent the model.
Building a responsibility model including accountability capability and commi... (christophefeltus)
The document presents a responsibility model that includes accountability, capability, and commitment. It aims to help organizations verify their structure and detect policy problems. The model provides a literature review on responsibility concepts in access control models and engineering methods. It then proposes a formal representation of the responsibility model using UML and a formal logic system. The analysis shows that an important variable is whether responsibility is perceived at the user or company level.
Aligning business operations with the appropriate IT infrastructure is a challenging and critical activity. Without efficient business/IT alignment, companies face the risk of not being able to deliver their business services satisfactorily and of having their image seriously damaged. Among the many challenges of business/IT alignment is access rights management, which should be conducted in light of rising governance needs, such as taking into account the business actors' responsibility. Unfortunately, in this domain, we have observed that no solution, model or method yet fully considers and integrates these new needs. Therefore, the paper first proposes an expressive Responsibility metamodel, named ReMMo, which represents the existing responsibilities at the business layer and thereby allows engineering the access rights required to perform these responsibilities at the application layer. Secondly, the Responsibility metamodel has been integrated with ArchiMate® to enhance its usability and to benefit from the enterprise architecture formalism. Finally, a method has been proposed to define the access rights more accurately, considering the alignment of ReMMo and RBAC. The research was carried out following a design science and action design research method, and the results have been evaluated through an extended case study at the Hospital Center in Luxembourg.
Alignment of remmo with rbac to manage access rights in the frame of enterpri... (christophefeltus)
The document proposes aligning a Responsibility metamodel (ReMMo) with the Role-Based Access Control (RBAC) model to better manage access rights based on employee responsibilities within an enterprise architecture. It first defines the ReMMo to represent business responsibilities and related access rights. ReMMo is then integrated with the ArchiMate enterprise architecture framework. Finally, the paper proposes aligning ReMMo and RBAC and provides a reference model for engineering access rights based on aligning business roles, responsibilities, and RBAC roles. This approach uses responsibility as a pivot to integrate business and application layer access rights requirements.
This document proposes a method for constructing policy models in financial institutions to improve requirements engineering. The method defines responsibilities and ensures policies align across organizational levels from strategic to technical. It focuses on managers' responsibilities for business process outcomes and defines an ontology for policy model interoperability. The goal is to analyze policy reliability and its impact on operational reliability, which is important for governance regulations.
An ontology for requirements analysis of managers’ policies in financial inst... (christophefeltus)
This document proposes a method for constructing policy models in financial institutions to improve requirements engineering. The method defines responsibilities and ensures policies align across organizational levels from strategic to technical. It analyzes reliability of the policy system and its impact on business processes. The case study examines operational risk management policies in a bank to demonstrate defining policy outcomes and responsibilities for each process according to Basel II requirements.
Preliminary literature review of policy engineering methods (christophefeltus)
This document provides a preliminary literature review of policy engineering methods related to the concept of responsibility. It begins by discussing Camerer's observations that policy research often lacks agreed upon definitions, testing of theories against alternatives, and building upon previous work. It then reviews how responsibility is addressed in access control models like MAC, DAC, RBAC and UCON, noting they focus primarily on rights. Finally, it introduces the author's intention to propose a new policy model and engineering method that incorporates responsibility by considering stakeholders' capabilities, accountability and commitments, and uses requirements engineering principles while accounting for business processes.
This document provides a preliminary literature review of policy engineering methods related to the concept of responsibility. It summarizes key access control models and discusses how they address concepts like capability, accountability, and commitment. The document also reviews engineering methods and how they incorporate responsibility considerations. The overall goal is to orient further research towards a new policy model and engineering method that more fully addresses stakeholder responsibility.
State of the art of agile governance a systematic review (ijcsit)
This document summarizes a systematic literature review on the state of agile governance. The review identified over 1,900 studies from 10 databases, of which 167 provided evidence to answer the research questions. The studies were organized into four major groups: software engineering, enterprise, manufacturing, and multidisciplinary. The review provides a definition of agile governance, six meta-principles, and a map of findings organized by topic and classified by relevance and convergence. The evidence suggests agile governance is a new, wide, and multidisciplinary area focused on organizational performance that requires more intensive study.
Similar to "Methodology to align business and IT policies: use case from an IT company" (20)
Multi-Agent System (MAS) monitoring solutions are designed for a plethora of usage topics. Existing approaches mostly use cloned back-end architectures, while the front-end monitoring interface tends to constitute the real specificity of the solution. These interfaces are recurrently structured around three dimensions: access to informed knowledge, agents' behavioural rules, and restitution of the real-time state of a specific system sector. In this paper, we propose prototyping a sector-agnostic MAS platform (Smart-X) which gathers, in an integrated and independent platform, all the functionalities required to monitor and govern a wide range of sector-specific environments. For illustration and validation purposes, the use of Smart-X is introduced and explained with a smart-mobility case study.
This document provides an agenda and overview for a joint workshop on security modeling hosted by the ArchiMate Forum and Security Forum. The workshop aims to identify opportunities to improve the conceptual and visual modeling of enterprise information security using TOGAF and ArchiMate. The agenda includes introductions, a research spotlight on strengthening role-based access control with responsibility modeling, an open discussion on complementing TOGAF and ArchiMate with enhanced security modeling, and identifying next steps. The workshop purpose is to enable better security architecture decisions and drive usage of TOGAF and ArchiMate for security architecture.
This document proposes an innovative systemic approach to risk management across interconnected sectors. It suggests using enterprise architecture models to manage cross-sector risks in Luxembourg's complex ICT ecosystem. The approach would provide regulators an overview of all players and systems, as well as models of different sectors to analyze collected data and risks at a national level, fostering accurate and reactive risk mitigation across economic domains.
This document proposes extending the HL7 standard with a responsibility perspective to better manage access rights to patient health records. It presents the ReMMo responsibility metamodel, which defines actors' responsibilities and associated access rights. The paper aims to align ReMMo with the HL7-based eSanté healthcare platform model in Luxembourg to semantically enhance access controls based on users' real responsibilities rather than just roles. It will first map concepts between the two models, then evaluate the alignment through a prototype applying inference rules.
This document proposes a methodological approach for specifying services and analyzing service compliance considering the responsibility dimension of stakeholders. The approach includes a product model and process model. The product model has three layers: an informational layer describing service context and concepts, an organizational layer describing business rules and roles, and a responsibility dimension layer linking the two. The process model outlines steps for service architects to identify context, define concepts and rules, specify services, and analyze compliance. The approach is illustrated with an example of managing access rights for sensitive healthcare data exchange between organizations.
This document discusses integrating responsibility aspects into service engineering for e-government. It proposes a multi-layered approach including an ontological layer defining legal concepts, an organizational layer describing roles and stakeholders, an informational layer representing data structures and integrity constraints, and a technical layer representing IT components. A responsibility meta-model is also introduced to align responsibilities across these layers and facilitate interoperability between services that share data. The approach aims to ensure service compliance and manage risks associated with e-government services.
1) The document proposes a dynamic approach for assigning functions and responsibilities to agents in a multi-agent system for critical infrastructure management.
2) The approach uses an agent's reputation, which is based on past performance, to determine which agents receive which responsibilities as crisis situations change over time.
3) Assigning responsibilities dynamically based on reputation allows the system to continue operating effectively if an agent becomes isolated or has reduced capabilities during a crisis.
The document describes the NOEMI assessment methodology, which was developed as part of a research project to help very small enterprises (VSEs) improve their IT practices. The methodology aims to assess VSEs' IT capabilities in order to facilitate collaborative IT management across organizations. It was designed to be aligned with common IT standards like ISO/IEC 15504 and ITIL, but adapted specifically for VSEs. The methodology has been tested through several case studies with VSEs in Luxembourg, with promising results.
This document proposes an extension of the ArchiMate enterprise architecture framework to model multi-agent systems for critical infrastructure governance. The authors develop a responsibility-driven policy concept and metamodel layers to represent agent behavior and organizational policies across technical, application, and organizational layers. The approach is illustrated through a case study of a financial transaction processing system.
This document summarizes an experimental prototype of the OpenSST protocol for secured electronic transactions. OpenSST was developed to achieve high security, simplicity in software engineering, and compatibility with existing standards. The prototype uses OpenSST for the authorization portion of electronic payments in an e-business clearing solution. It describes the OpenSST message format and types, and discusses how OpenSST is implemented in the prototype's three-element architecture of an OpenSST proxy, reverse proxy, and server.
More from Luxembourg Institute of Science and Technology (13)
Ethical considerations play a crucial role in research, ensuring the protection of participants and the integrity of the study. Here are some subject-specific ethical issues that researchers need
Search for Dark Matter Ionization on the Night Side of Jupiter with CassiniSérgio Sacani
We present a new search for dark matter (DM) using planetary atmospheres. We point out that
annihilating DM in planets can produce ionizing radiation, which can lead to excess production of
ionospheric Hþ
3 . We apply this search strategy to the night side of Jupiter near the equator. The night side
has zero solar irradiation, and low latitudes are sufficiently far from ionizing auroras, leading to a lowbackground search. We use Cassini data on ionospheric Hþ
3 emission collected three hours either side of
Jovian midnight, during its flyby in 2000, and set novel constraints on the DM-nucleon scattering cross
section down to about 10−38 cm2. We also highlight that DM atmospheric ionization may be detected in
Jovian exoplanets using future high-precision measurements of planetary spectra.
A slightly oblate dark matter halo revealed by a retrograde precessing Galact...Sérgio Sacani
The shape of the dark matter (DM) halo is key to understanding the
hierarchical formation of the Galaxy. Despite extensive eforts in recent
decades, however, its shape remains a matter of debate, with suggestions
ranging from strongly oblate to prolate. Here, we present a new constraint
on its present shape by directly measuring the evolution of the Galactic
disk warp with time, as traced by accurate distance estimates and precise
age determinations for about 2,600 classical Cepheids. We show that the
Galactic warp is mildly precessing in a retrograde direction at a rate of
ω = −2.1 ± 0.5 (statistical) ± 0.6 (systematic) km s−1 kpc−1 for the outer disk
over the Galactocentric radius [7.5, 25] kpc, decreasing with radius. This
constrains the shape of the DM halo to be slightly oblate with a fattening
(minor axis to major axis ratio) in the range 0.84 ≤ qΦ ≤ 0.96. Given the
young nature of the disk warp traced by Cepheids (less than 200 Myr), our
approach directly measures the shape of the present-day DM halo. This
measurement, combined with other measurements from older tracers,
could provide vital constraints on the evolution of the DM halo and the
assembly history of the Galaxy.
Possible Anthropogenic Contributions to the LAMP-observed Surficial Icy Regol...Sérgio Sacani
This work assesses the potential of midsized and large human landing systems to deliver water from their exhaust
plumes to cold traps within lunar polar craters. It has been estimated that a total of between 2 and 60 T of surficial
water was sensed by the Lunar Reconnaissance Orbiter Lyman Alpha Mapping Project on the floors of the larger
permanently shadowed south polar craters. This intrinsic surficial water sensed in the far-ultraviolet is thought to be
in the form of a 0.3%–2% icy regolith in the top few hundred nanometers of the surface. We find that the six past
Apollo Lunar Module midlatitude landings could contribute no more than 0.36 T of water mass to this existing,
intrinsic surficial water in permanently shadowed regions (PSRs). However, we find that the Starship landing
plume has the potential, in some cases, to deliver over 10 T of water to the PSRs, which is a substantial fraction
(possibly >20%) of the existing intrinsic surficial water mass. This anthropogenic contribution could possibly
overlay and mix with the naturally occurring icy regolith at the uppermost surface. A possible consequence is that
the origin of the intrinsic surficial icy regolith, which is still undetermined, could be lost as it mixes with the
extrinsic anthropogenic contribution. We suggest that existing and future orbital and landed assets be used to
examine the effect of polar landers on the cold traps within PSRs
Keys of Identification for Indian Wood: A Seminar ReportGurjant Singh
Identifying Indian wood involves recognizing key characteristics such as grain patterns, color, texture, hardness, and specific anatomical features. These identification keys include observing the wood's pores, growth rings, and resin canals, as well as its scent and weight. Understanding these features is essential for accurate wood identification, which is crucial for various applications in carpentry, furniture making, and conservation.
Additionally, the application of Convolutional Neural Networks (CNN) in wood identification has revolutionized this field. CNNs can analyze images of wood samples to identify species with high accuracy by learning and recognizing intricate patterns and features. This technological advancement not only enhances the precision of wood identification but also accelerates the process, making it more efficient for industry professionals and researchers alike.
Testing the Son of God Hypothesis (Jesus Christ)Robert Luk
Instead of answering the God hypothesis, we investigate the Son of God hypothesis. We developed our own methodology to deal with existential statements instead of universal statements unlike science. We discuss the existence of the supernaturals and found that there are strong evidence for it. Given that supernatural exists, we report on miracles investigated in the past related to the Son of God. A Bayesian methodology is used to calculate the combined degree of belief of the Son of God Hypothesis. We also report the testing of occurrences of words/numbers in the Bible to suggest the likelihood of some special numbers occurring, supporting the Son of God Hypothesis. We also have a table showing the past occurrences of miracles in hundred year periods for about 1000 years. Miracles that we have looked at include Shroud of Turin, Eucharistic Miracles, Marian Apparitions, Incorruptible Corpses, etc.
SCIENTIFIC INVESTIGATIONS – THE IMPORTANCE OF FAIR TESTING.pptxJoanaBanasen1
Methodology to align business and it policies use case from an it company
METHODOLOGY TO ALIGN BUSINESS AND IT POLICIES:
USE CASE FROM AN IT COMPANY
Christophe Feltus (1), Christophe Incoul (1), Jocelyn Aubert (1), Benjamin Gateau (1), André Adelsbach (2), and Marc Camy (2)
(1) Public Research Centre Henri Tudor, Luxembourg
(2) Telindus PSF, Luxembourg
Abstract: Governance of IT is becoming more and more necessary in the current financial and economic situation. One consequence of that statement is the need to define corporate and IT policies. To address that matter, this paper proposes a methodology for defining policies that are closer to the business processes and that is based on the strict definition of a responsibility model clarifying every actor's responsibility. This responsibility model is mainly defined on the basis of three concepts: capability, accountability and commitment. The methodology is illustrated and validated by a case study conducted in an IT company.
Index Terms: Governance, Process model, Organizational model, Responsibility model, Policy Engineering, Business IT Alignment.
I. INTRODUCTION
Accounting scandals of 2002 and the more recent, ongoing market crisis highlight the importance of Corporate Governance and, by consequence, of the Governance of IT. Following those scandals, many laws and standards were published in order, on the one hand, to guarantee the stability of the financial sector and, by extension, of all sectors of the industrial economy and, on the other hand, to enhance the governance of all these public and private companies. The Sarbanes-Oxley Act [1], Basel II [2] and EU Directive 95/46 [3] are some of the laws that aim at providing guarantees over the company's accountability. ISO/IEC 38500:2008 [4] is one standard that provides a framework for effective governance of IT. One of the main constraints imposed by these laws and standards is to have responsibilities clearly established and accepted, internally by the collaborators and externally by the stakeholders as well. Unfortunately, by reviewing how responsibility is depicted in a large range of IT-oriented frameworks, we come to the conclusion that no global consensus over a responsibility model exists. The scope of our review has targeted organizational models from the realm of IT security, from access control models such as RBAC [7], UCON [8] and OrBAC [9], up to frameworks for ICT governance like Cobit and its RACI chart [10] or for service management like ITIL [11]. We have also investigated the area of requirements engineering, through the analysis of role engineering methods like [12], [13], [14] and [15] and through EAM (Enterprise Architecture Model) frameworks like CIMOSA [16] or Togaf [17]. The importance of this finding, the lack of a common understanding of responsibility, has oriented our research. As a consequence, we propose in this paper, firstly, to introduce our innovative responsibility model, elaborated following that review and based on a global comprehension of the concepts. This model has already been commented at length in [5] and [6]. It has been designed as a structured representation of the responsibility necessary to achieve a finite set of activities (like those encompassed in a process). The three main components of the responsibility model are Capability, Accountability and Commitment. Capability describes the quality of having the required qualities or resources to achieve a task; accountability describes the state of being answerable for the achievement of a task; and commitment is the engagement of a stakeholder to fulfil a task and the assurance that he will do it. Hence, the usage of our model may not be dissociated from the usage of those other models; when they are used together, the organizational model is enhanced with the responsibility concept and is, as a consequence, closer to governance requirements.
Fig. 1. Model aggregation
In Fig. 1, governance requirements are those dictated by newly arising laws and standards, like the need for more ethics, more commitment or more accountability. The engineering of these requirements has been performed in [5] and [6]. The responsibility model is the model of responsibility that has been designed based on these requirements. The organizational model is the model to be enhanced with the responsibility components; it could be, for example, the Cobit framework, the CIMOSA framework or a process-based enterprise architecture. That last case has already been investigated in previous work, where a link has been created between ISO/IEC 15504 and the responsibility model [18].
Secondly, the paper proposes a method to instantiate that responsibility model based on the enterprise description. This instantiated model is an intermediary model to be linked to the organizational model (like a workflow). This method is a five-step approach, starting with a phase of information collection and closing with a corporate policy. A plethora of definitions of policy exists. For the purpose of this paper, we use the following interpretation: a policy is a set of roles and responsibilities for a dedicated area of a company or for a field of activity. Consequently, we decided to illustrate the paper with a policy of access control.
The remainder of the paper is organized as follows: the next section introduces our innovative responsibility model; Section III introduces the five steps of our proposed methodology and illustrates them along the way with a real case study from an IT company. Finally, Section IV concludes and introduces future work.
II. RESPONSIBILITY MODEL
The cornerstone of the methodology we propose in this article, which we detail in Section III, is the concept of responsibility. The model of responsibility in Fig. 2 aims to be generic enough to be applied to all kinds of organisations, at each abstraction layer and in all domains of the organisation. In short, the organisation represents a structure that pursues collective goals. This structure encompasses employees (users) playing roles and being responsible for performing the activities of processes. In this model, the notion of sequence (the workflow) between the different responsibilities is not represented. Indeed, these transitions are already defined in the other organizational models that define the process model, like ISO/IEC 15504.
The notion of responsibility is widely used, but no unique definition exists. According to the literature, we may however state that commonly accepted definitions of responsibility encompass the idea of having the obligation to ensure that something happens. Our previous work [5] shows that responsibility can be described as a set of three additional elements: Capability, Accountability and Commitment. The relation between responsibility and the three other concepts is of the form 0.* to 1. That means that being responsible may involve disposing of many capabilities, accountabilities and commitments.
Fig. 2. Responsibility model
Capability describes the quality of having the required
qualities or resources to achieve a task. For instance, a
strategic capability for a given responsibility could be: “A
resource must know the strategic objectives of the
organisation”. An operational capability could be: “The
coach of the resources must have write access to the HR
software”.
Accountability describes the state of being accountable for the achievement of a task. For instance, a strategic accountability for a given responsibility could be: "A project leader must achieve the financial Key Performance Indicators defined for the project". An operational accountability could be: "An IT administrator must give access rights to specific resources of the organisation to members of the project team".
Finally, Commitment is the engagement of a stakeholder to fulfil a task and the assurance that he will do it. For instance, a strategic commitment for a responsibility could be: "The Chief Financial Officer accepts to manage the accounting department and not to commit insider dealing". An operational commitment could be: "An employee of the procurement staff accepts not to use the system for his personal use".
The consistency between concepts may also be examined based on the assumption that the capability needed to assume a responsibility corresponds to the accountability of another responsibility (belonging to another user or role). The responsibility components capability and accountability are strongly linked to each other [5]. An accountability of a role or person makes it possible to deduce the capability of another role or person and, conversely, a capability stems from an accountability (e.g. the capability "The coach of the resources must have write access to the HR software" stems from the accountability "An IT administrator must give access rights to specific resources (HR software) of the organization to the coach").
III. METHODOLOGY
The methodology described in this section aims to explain how to define the enterprise IT policies according to the responsibility model. It is a five-step approach. To facilitate understanding, we illustrate each step with a case study.
Fig. 3. SIM Methodology
3.1 STEP 1. Collection of information
The first step aims to define the context and to collect each component that will be formalized in the policy.
STEP 1 input: Inputs of step 1 are elements collected from business case studies, business processes, business procedures, and effective practices in the enterprise.
STEP 1 output: Output of step 1 is a formalized and structured synthesis of the process in natural language.
STEP 1 actions: The actions performed at this step encompass a number of activities to collect information about the process and the responsibility components. These activities are interviews of key members of the personnel, analysis of existing process descriptions, and analysis of enterprise references such as the ISO 9000 quality book.
The information gathered through these activities can be summarized as: the process responsibilities together with their composing elements (accountabilities, capabilities and commitments), and the existing relations between responsibilities and responsibility components.
To illustrate the methodology, we describe this first step based on a case study. Telindus Luxembourg SA is an ICT company within the Belgacom Group, offering its services in the field of telecommunications and information systems. Telindus SA is ISO 9001 certified and, as such, has formally defined several processes. For the case study, the customer complaints process will be analysed.
The customer complaints procedure in Fig. 4 defines the opening, pursuing and closing of customer complaints in order to resolve complaints with a short delay and thereby further improve customer satisfaction. Complaints are registered in a central complaint database and assigned to an owner. The central complaint database is used to track complaints throughout their lifecycle and to document the actions taken to resolve them, as well as the lessons learned to prevent similar complaints or to support their resolution more effectively in the future.
Fig. 4. Contestation Client process workflow
3.2 STEP 2 Graphic diagram
The second step translates the process from natural language
into a graphical representation.
STEP 2 input: Input of Step 2 is the synthesis achieved in
step 1.
STEP 2 output: Output of Step 2 is a graphical representation of the responsibility framework of the analysed process. It encompasses a representation of the responsibility and its components, and the links between components. Fig. 9 is an example of the result obtained with the Telindus case study.
STEP 2 actions: The actions performed at that step are
composed of three sub-tasks.
Sub-task 1: Definition of each responsibility and transcription
of it using boxes. Each box stands for a responsibility; it
encompasses its accountabilities and its capabilities. An
example identified within the case study is the responsibility
“Creation of Complaint Report” in the contestation process.
Sub-task 2: For each responsibility, an analysis of the
required capabilities is made and is translated through a box
in the corresponding responsibility box. The same operation
is performed for the accountabilities. The “Creation of
Complaint Report” responsibility requires the capability to
receive customer complaints and write access to the central
complaint database. Accountabilities of this responsibility
are, amongst others, to register the complaint in the database.
Sub-task 3: This last sub-task consists of the definition of links between responsibility components. Four kinds of links exist:
- Delegation link, constituting the delegation of a responsibility's accountability toward another responsibility. The responsibility for the achievement of the task is transferred to another responsibility, but the state of being answerable for the achievement of the task persists for the delegating responsibility.
Fig. 5. Delegation link
For instance, Fig. 5 represents a delegation of the accountability #ACC_1 of the responsibility Responsibility#A towards the responsibility Responsibility#B. In the case study, the accountability "validation of complaint" of the responsibility "Creation of Complaint Report" is delegated to the responsibility "Confirmation/Validation of Complaint".
- Implication link, representing the connection between the accountability of one responsibility and the capability of another responsibility. It expresses that this accountability is needed to provide and guarantee a capability to another responsibility.
It is important to note that an accountability of a responsibility may not aim at providing a capability to the same responsibility. Conceptually, this situation would mean that this responsibility is divisible into two responsibilities.
Fig. 6. Implication link
For instance, Fig. 6 illustrates that the accountability #ACC_1 of the responsibility Responsibility#A implies the capability #CAP_1 of the responsibility Responsibility#2. As an example, consider the implication from the accountability "Assure the first level of complaint closure" ("Resolution Acknowledgement" responsibility) to the capability "Acknowledgement of the complaint closure".
- Contribution link highlighting that one
responsibility’s accountability contributes to another
accountability of the same responsibility. Accountabilities
results can be used as input for others accountabilities.
Fig. 7. Contribution link
For instance, Fig. 7 represents that the accountability #ACC_1 contributes to the accountability #ACC_2 of the same responsibility Responsibility#A. Considering the case study (Figure 9), we see that the accountability “Register the complaint in the database” contributes to the accountability “Assign complaint to the RBL technical or commercial assistant”, because the complaint can be assigned by the database when it is registered.
- Execution link, formalizing that a capability of a responsibility is necessary to execute an accountability of the same responsibility.
Fig. 8. Execution link
For instance, Fig. 8 illustrates that the capability #CAP_1 is needed to achieve the accountability #ACC_1 (written inside brackets in the definition of capability CAP_1). The capability #CAP_2 is needed to achieve both accountabilities #ACC_1 and #ACC_2 (because of the #ALL reference written inside brackets). An example from the case study is that the capability “read access rights in the complaints database” is needed to “Verify the evolution of the complaint until closure” (responsibility “Follow-up of the taken actions”).
3.3 STEP 3 Responsibility components links verification
This third step of the methodology is the first refining step. It aims at analysing the graphical representation of the process produced in Step 2, in order to detect and eliminate inconsistencies in the diagram.
STEP 3 input: The input of Step 3 is the process graphical representation produced in Step 2.
STEP 3 output: The output of Step 3 is a graphical representation of the responsibility framework of the analysed process, refined according to the relationships between components.
STEP 3 actions: The actions performed at this step are composed of three sub-tasks.
Sub-task 1: In-depth analysis of the capability components of each responsibility. The main objective of this analysis is to detect and resolve unnecessary capabilities. A capability is unnecessary when it is useless for the achievement of the accountabilities of the same responsibility, which means that it has no execution link. To resolve this inconsistency, the capability is suppressed.
Sub-task 2: In-depth analysis of the accountability components of each responsibility. The main objective of this analysis is to make sure that all accountabilities are provided and exist in the model, and that all accountabilities are necessary. An accountability is not fully justified if:
a. No link exists between the accountability and one or more capabilities in the process, i.e. no implication link starts from the accountability;
b. No link exists between the accountability and another responsibility, i.e. no delegation link starts from the accountability;
c. The accountability does not contribute to achieving the outcome of the process.
Sub-task 3: Once the accountabilities are verified, it is possible to check that all capabilities necessary for their achievement exist.
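As an added illustration (not code from the paper), the following Python encodes the four link types of Step 2, sub-task 3, and runs the Step 3 checks of sub-tasks 1 and 2 on a constructed fragment of the Contestation Client process. The link set, the “fax access” capability, the “archive fax” accountability, the owner of the closure-acknowledgement capability, the process outcomes and the reading of conditions a-c as jointly required are assumptions of this example.

```python
from dataclasses import dataclass, field

@dataclass
class Model:
    caps: dict = field(default_factory=dict)        # responsibility -> {capability}
    accs: dict = field(default_factory=dict)        # responsibility -> {accountability}
    execution: set = field(default_factory=set)     # ((R, cap), (R, acc)), same R
    contribution: set = field(default_factory=set)  # ((R, acc1), (R, acc2)), same R
    implication: set = field(default_factory=set)   # ((Ra, acc), (Rb, cap)), Ra != Rb
    delegation: set = field(default_factory=set)    # ((Ra, acc), Rb)

    def malformed_links(self):
        """Execution/contribution links stay inside one responsibility; an
        implication link must cross two (note under Fig. 6)."""
        bad = [l for l in self.execution | self.contribution if l[0][0] != l[1][0]]
        return bad + [l for l in self.implication if l[0][0] == l[1][0]]

    def unnecessary_capabilities(self):
        """Step 3, sub-task 1: a capability with no execution link is useless."""
        used = {src for src, _ in self.execution}
        return sorted((r, c) for r, cs in self.caps.items() for c in cs if (r, c) not in used)

    def unjustified_accountabilities(self, outcomes):
        """Step 3, sub-task 2, read as: flag an accountability only when it has no
        implication link (a), no delegation link (b) and does not reach a process
        outcome through contribution links (c)."""
        linked = {s for s, _ in self.implication} | {s for s, _ in self.delegation}
        reaches, frontier = set(outcomes), set(outcomes)
        while frontier:  # walk contribution links backwards from the outcomes
            frontier = {s for s, t in self.contribution if t in frontier} - reaches
            reaches |= frontier
        return sorted((r, a) for r, xs in self.accs.items() for a in xs
                      if (r, a) not in linked and (r, a) not in reaches)

# Constructed case-study fragment: responsibility and component names follow the
# text; the link set, the unused "fax access" capability, the orphan "archive fax"
# accountability and the owner of the closure-acknowledgement capability are assumed.
CCR, CVC = "Creation of Complaint Report", "Confirmation/Validation of Complaint"
RA, FUP = "Resolution Acknowledgement", "Follow-up of the taken actions"
REG, ASSIGN, VALID = "Register complaint in DB", "Assign complaint", "validation of complaint"
VERIFY, CLOSE = "Verify evolution until closure", "Assure first level of closure"
RECV, WRITE, READ, ACK = "receive complaints", "write access DB", "read access DB", "Ack closure"
m = Model(
    caps={CCR: {RECV, WRITE, "fax access"}, FUP: {READ, ACK}},
    accs={CCR: {REG, ASSIGN, VALID}, FUP: {VERIFY}, RA: {CLOSE, "archive fax"}},
    execution={((CCR, RECV), (CCR, REG)), ((CCR, WRITE), (CCR, REG)),
               ((FUP, READ), (FUP, VERIFY)), ((FUP, ACK), (FUP, VERIFY))},
    contribution={((CCR, REG), (CCR, ASSIGN))},
    implication={((RA, CLOSE), (FUP, ACK))}, delegation={((CCR, VALID), CVC)})
OUTCOMES = {(CCR, ASSIGN), (FUP, VERIFY)}  # assumed process outcomes
```

Running the three checks on `m` reports the “fax access” capability (no execution link) and the “archive fax” accountability (no link and no path to an outcome), while the “Register complaint” accountability is kept because it contributes to the “Assign complaint” outcome.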
3.4 STEP 4 Responsibility exceptions links verification
This fourth step of the methodology is the second refining step. Like Step 3, it aims at analysing the graphical representation of the relations within the process, in order to detect inconsistencies and, where necessary, correct the graph to eliminate them.
STEP 4 input: The input of Step 4 is the process graphical representation produced in Step 3.
STEP 4 output: The output of Step 4 is a graphical representation of the responsibility framework of the analysed process, refined according to the relationships between components.
Fig. 9. Contestation Client Process responsibility model
STEP 4 actions: The activity of this step aims at detecting and correcting conflicts and incoherencies with regard to the responsibility rules dictated by the enterprise, for example:
- Delegation rules. The organisation should define rules for delegation, which must be complied with. Examples of such delegation rules are: if a responsibility is delegated, all the capabilities necessary for it are also delegated, and the accountability may be kept by the delegator or given to the delegate, but not both at the same time. Conflicts with these rules may exist in the graph.
- Separation of duties. Some corporate rules may impose the separation of duties for some responsibility components. At this step, a check has to be done to detect responsibility components that could confer too much power, in order to prevent fraud or errors. This is traditionally the case for the accountability to order a product and the accountability to validate the invoice of that product order. To remedy such business defects, the responsibility components have to be spread among multiple responsibilities.
- Cardinality constraints. At this step, the responsibility graph also needs to be checked for alignment with cardinality requirements. E.g., the number of accountabilities handled by the same responsibility is sometimes limited in order to avoid an unjustified increase in workload. This constraint is to be balanced against the work effort necessary for achieving each accountability.
3.5 STEP 5 Policy elicitation
This last step of our methodology aims at deriving policies from the responsibility model.
STEP 5 input: The input of Step 5 is the process graphical representation produced in Step 4.
STEP 5 output: The output of Step 5 is a set of context-dependent policies.
STEP 5 actions: The activity of this step aims at translating the responsibility graph into a given policy format.
Sub-task 1: Each responsibility is assigned to an organisational role (such as Project Manager). In other words, the capabilities and accountabilities of each responsibility are allocated to roles. Different checks have to be done on this first instantiated model in order to detect inconsistencies. Compliance with the rules checked during the previous step is tested again. For example, separation of duties (a single responsibility can be protected against abuse of power, but the combination of two responsibilities in the same role may enable abuse) or cardinality constraints (individually, the workload of a responsibility can be supportable, but the combination of many responsibilities may become unbearable; this check may include not only the current process level but also the organisational level).
Sub-task 2: Combining the role-instantiated diagram and a set of roles allocated to organisation stakeholders, the diagram is instantiated to stakeholders, so that the capabilities and accountabilities of responsibilities are allocated to stakeholders. Again, checks have to be done at this step in order to detect inconsistencies (in the case of a stakeholder holding several roles involved in the process).
Fig. 10. Responsibilities instantiation
Sub-task 3: At this step, the diagram includes the minimum rights required by each involved stakeholder for achieving the process (by achieving all accountabilities). From this distribution of responsibilities, IT policies can be inferred by treating capabilities as authorizations and accountabilities as obligations. A possible representation of these policies, described in [18], is the declarative access control policy language XACML. Afterwards, the policy is deployed on the IT resources via a multi-agent system.
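As an added example, not code from the paper or from the SIM/RED projects, the following Python re-runs the Step 4 separation-of-duties and cardinality checks at the role level (sub-task 1) and the stakeholder level (sub-task 2), then derives policies with capabilities as authorizations and accountabilities as obligations (sub-task 3). The responsibility contents, the role and stakeholder allocations, the conflicting pair and the limit of three accountabilities are constructed, and the policies are emitted as plain triples rather than in the XACML format of [18].

```python
# Constructed model: responsibility -> (capabilities, accountabilities). The
# order/validate-invoice pair is the separation-of-duties example of Step 4.
RESP = {
    "Order product": ({"write access: purchase orders"}, {"order product"}),
    "Validate invoice": ({"read access: invoices"}, {"validate invoice of product order"}),
    "Creation of Complaint Report": ({"write access: complaint DB"}, {"register complaint", "assign complaint"}),
    "Follow-up of the taken actions": ({"read access: complaint DB"}, {"verify complaint until closure"}),
}
SOD = {frozenset({"order product", "validate invoice of product order"})}  # must not share a holder
MAX_ACCS = 3  # assumed cardinality limit on accountabilities per holder

def instantiate(assignment, source=RESP):
    """Merge the responsibilities (or, at the next level, the roles) given to
    each holder into that holder's own capabilities and accountabilities."""
    out = {}
    for holder, names in assignment.items():
        caps, accs = set(), set()
        for n in names:
            caps |= source[n][0]
            accs |= source[n][1]
        out[holder] = (caps, accs)
    return out

def check(inst, sod=SOD, max_accs=MAX_ACCS):
    """Step 4 rules at the current level: a conflicting pair of accountabilities
    ending up with one holder, or too many accountabilities for one holder."""
    issues = []
    for holder in sorted(inst):
        _, accs = inst[holder]
        for pair in sod:
            if pair <= accs:
                issues.append(("separation of duties", holder, tuple(sorted(pair))))
        if len(accs) > max_accs:
            issues.append(("cardinality", holder, len(accs)))
    return issues

def policies(inst):
    """Step 5, sub-task 3: each capability becomes an authorization and each
    accountability an obligation for the holder it was allocated to."""
    return sorted({(h, "permit", c) for h, (caps, _) in inst.items() for c in caps} |
                  {(h, "oblige", a) for h, (_, accs) in inst.items() for a in accs})

ROLES = {"Purchaser": {"Order product"}, "Accountant": {"Validate invoice"},
         "Help desk": {"Creation of Complaint Report", "Follow-up of the taken actions"}}
STAKEHOLDERS = {"alice": {"Purchaser", "Accountant"}, "bob": {"Help desk"}}  # roles per person

role_model = instantiate(ROLES)                       # sub-task 1: responsibilities -> roles
person_model = instantiate(STAKEHOLDERS, role_model)  # sub-task 2: roles -> stakeholders
```

Each role passes the checks on its own, but the stakeholder who holds both the Purchaser and Accountant roles violates the separation-of-duties rule, which is exactly the inconsistency sub-task 2 is meant to surface.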
IV. CONCLUSIONS AND FUTURE WORK
In the current economic context, improving ICT governance is an important matter. In this paper we propose to improve that field by introducing our formalization of responsibility in an innovative responsibility model. This model is valuable when it is linked to another existing organizational model, such as Cobit or Cimosa, and brings to that organizational model more guarantees regarding corporate governance requirements. The paper also proposes a methodology for defining, structuring and managing the organization’s responsibilities. To enhance and validate our work, we have deployed the methodology on the “Customer Complaints” process of Telindus Luxembourg SA. The case study led on the one hand to potential improvements of the customer complaint process, while on the other hand it allowed us to validate the methodology and to identify interesting ways of improving and extending it in future research.
Future work, based on the conclusions of the case study, will consist in improving the methodology with the addition of a global iterative refining layer. This layer aims at refining the responsibility models of the same domain together.
V. ACKNOWLEDGEMENT
The results presented in this paper are a contribution from the
SIM (Secure Identity Management) project and the RED
(Reaction After Detection) project [19].
VI. REFERENCES
[1] P. S. Sarbanes and M. Oxley, “Sarbanes-Oxley Act of 2002”, 2002.
[2] Bank for International Settlements (BIS), International Convergence of Capital Measurement and Capital Standards: Revised Framework – Comprehensive Version, 2006.
[3] European Union, Directive 95/46/EC of the European Parliament and of the Council, Official Journal of the European Communities, pp. 28-31, 1995.
[4] ISO/IEC 15504, “Information Technology – Process assessment” (parts 1-5), 2003-2006.
[5] C. Feltus, A. Rifaut, An Ontology for Requirements Analysis of Managers’ Policies in Financial Institutions, I-ESA 2007, Madeira, Portugal.
[6] A. Rifaut, C. Feltus, Improving Operational Risk Management Systems by Formalizing the Basel II Regulation with Goal Models and the ISO/IEC 15504 Approach, REMO2V’2006, Luxembourg.
[7] D. F. Ferraiolo, R. Sandhu, S. Gavrila, D. R. Kuhn and R. Chandramouli, Proposed NIST Standard for Role-Based Access Control, ACM Transactions on Information and System Security, Vol. 4, No. 3, August 2001, pp. 224-274.
[8] R. Sandhu, J. Park, Usage Control: A Vision for Next Generation Access Control, The Second International Workshop on Mathematical Methods, Models and Architectures for Computer Networks Security, 2003.
[9] A. Abou El Kalam, R. El Baida, P. Balbiani, S. Benferhat, F. Cuppens, Y. Deswarte, A. Miège, C. Saurel, G. Trouessin, Organization-Based Access Control, IEEE 4th International Workshop on Policies for Distributed Systems and Networks (Policy’03), 4-6 June 2003, Como, Italy, pp. 120-131.
[10] Control Objectives for Information and Related Technology (COBIT), Information Systems Audit and Control Association, http://www.isaca.org/Template.cfm?Section=COBIT6&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=55&ContentID=7981
[11] U.K. Office of Government Commerce, “A Code of Practice for IT Service Management,” in Service Support, ITIL Managing Services, Stationery Office, London, United Kingdom, 2005, Section 7.8, http://www.tsoshop.co.uk/bookstore.asp?FO=1159966&Action=Book&ProductID=0113300158
[12] E. Bertino, A. Mileo, A. Provetti, PDL with Preferences, IEEE International Workshop on Policies for Distributed Systems and Networks (Policy 2005), IEEE Computer Society, Washington, DC, pp. 213-222, 2005.
[13] E. S. Yu, L. Liu, Modelling Trust for System Design Using the i* Strategic Actors Framework, Workshop on Deception, Fraud, and Trust in Agent Societies, Lecture Notes in Computer Science, vol. 2246, Springer-Verlag, London, pp. 175-194, 2001.
[14] A. Antón, Goal-Based Requirements Analysis, Second ICRE’96, Colorado Springs, USA, 1996.
[15] R. Crook, D. Ince, B. Nuseibeh, Towards an Analytical Role Modelling Framework for Security Requirements, Security Requirements Group, Department of Computing, The Open University, Walton Hall, Milton Keynes, MK7 6AA, UK.
[16] F. B. Vernadat, Enterprise Modelling and Integration, Chapman & Hall, London, 1995, ISBN 0-412-60550-3.
[17] TOGAF (2007), The Open Group Architecture Framework (TOGAF 8.1.1 ‘The Book’), 2007 Edition, Van Haren Publishing.
[18] B. Gateau, C. Feltus, J. Aubert, C. Incoul, An Agent-based Framework for Identity Management: The Unsuspected Relation with ISO/IEC 15504, RCIS 2008, Morocco.
[19] http://projects.celtic-initiative.org/red/?Dissemination:Publications
Manuscript received September 30, 2008. Corresponding author: C. Feltus
(e-mail: christophe.feltus@tudor.lu)